
Author Archives: admin

WhatsApp Remote Code Execution Vulnerability

Category : Blog

Trending WhatsApp Remote Code Execution Vulnerability that lets hackers take over Android devices using just a GIF image

A new WhatsApp vulnerability has been discovered by a security researcher. Through it, an attacker can compromise a user's chat sessions, files and messages using a malicious GIF. Today these short looping clips are everywhere: on social media, in messaging applications and in chats, helping people express their emotions, make others laugh and have fun. People even make GIFs of themselves.

WhatsApp Messenger is a freeware, cross-platform messaging service owned by Facebook. It lets users send text and voice messages, make voice and video calls, and share images, documents, locations, contacts and other media, and it has a billion users across the globe. This security vulnerability remained unpatched for months, and if exploited it could let the attacker take over the device and steal user data. It affects Android versions below 2.19.244.

What is WhatsApp RCE Vulnerability?

RCE stands for Remote Code Execution. This one is a double-free vulnerability in the Gallery view implementation, the code developers use to build the preview shown whenever a user wants to upload or send a file to someone. A double free occurs when free() is called twice on the same pointer; the memory may then leak or become corrupted, giving attackers the opportunity to overwrite elements.
Overwriting those elements lets a payload run in WhatsApp's context, which carries permission to read and access the SD card and the message database. The malicious payload inherits all of WhatsApp's permissions: audio recording, camera access, access to photos, contacts and files/documents, and even the sent box with all its data.

How is WhatsApp RCE Vulnerability exploited?

To exploit this vulnerability, the attacker sends a specially crafted malicious GIF file to the targeted Android phone through any online communication channel, then waits for the target to open the gallery by tapping the paperclip button (the attachment icon) in WhatsApp.

The report explains: "WhatsApp shows the preview of all media, like photos and GIFs, including the ones that are received, and due to this the double-free vulnerability and RCE exploit is triggered." The flaw is tracked as CVE-2019-11932, and the exploit is titled "WhatsApp 2.19.216 - Remote Code Execution".
The vulnerability has been patched in newer WhatsApp updates. Users running version 2.19.244 or below are strongly recommended to update WhatsApp to the latest version from the Google Play Store as soon as possible.



HOW TO IMPROVE YOUR PYTHON SKILLS ?

Category : Blog

Python is not the most widely used language, but it is well designed compared to other languages and offers many features that help a newcomer become a good developer, while an established developer can switch to Python easily. Compared with languages like C, C++ and Java, Python's use is constantly growing. As a language it is aspect-oriented, which means functionality is split into modules: first the developer creates the modules, and afterwards, based on "if then" logic that depends on the user's action, the algorithm triggers a particular block and produces the result. Python has a variety of uses in the software field, but developers mostly deal with backend components, connecting applications and supporting frontend developers in web applications. Of course, you might create applications in other languages, but pretty often Python is the language chosen for it, and there are reasons for that!

PYTHON SKILLS

Let's talk about the skills now! What technical and soft skills do you need to become a good developer?

PYTHON:

Quite obviously, Python is the main language you are going to use at work to finish the project. Fortunately, if you are a developer focused on other languages, the switch may come with ease. Python is a general-purpose programming language in constantly increasing demand. Thanks to its relatively easy learning path it is beginner-friendly and definitely experienced-developer-friendly as well! You do not need to know every module, but beyond basic syntax and semantics you should at least know the differences between Python 2 and 3. A good Python dev can smoothly adjust to those; it is not a big deal, because the distinction is rarely required. It is also advisable to know Python's data structures. While you do not have to learn by heart how to implement a B-tree, knowing what lies under the hood of a set, dict or list will come in handy in both small and big projects.

Frameworks for Python:

Knowing Python frameworks is a must; however, it doesn't mean that a Python developer has to know them all. Depending on the project you may be asked to know one or another; commonly used ones are Django, Flask and CherryPy. Undoubtedly, if you already know Python, you have had a chance to work with at least one of the most popular frameworks! The basic and well-defined structure offered by a framework is usually appreciated by devs while figuring out the core logic of the application.

ORM library familiarity:

Connecting an application to its database through an ORM (Object Relational Mapper) such as SQLAlchemy or the Django ORM is easier, faster and more efficient than writing SQL, which means the team is more likely to prefer it. Good to have it in your skillset!

Basic knowledge of front-end technologies:

Very often a Python developer has to cooperate with the frontend team to match the server side with the client side. It is therefore important to understand how the frontend works, what is possible and what is not, and how the application is going to appear. Of course, in proper agile software houses there is also a UX team, a project/product manager and a Scrum master to coordinate the workflow. That doesn't mean the frontend is a must-know for a Python dev, but in some projects this kind of knowledge and experience is definitely more than welcome.

AI and Machine Learning:

This will be a huge plus for you if you know what it is about! AI and machine learning (as well as deep learning) are constantly growing fields, and Python is a perfect programming language for them. If you are into data science, then digging into machine learning would definitely be a great idea.

Python Libraries:

Libraries make a developer's life easier, the team's workflow more efficient and task execution far faster. Depending on the nature of the project, it pays to know the libraries that will help you in everyday work. Python, as a community-driven programming language, has an answer to almost any possible request. Some commonly used libraries are Requests, Scrapy, wxPython, Pillow, SQLAlchemy and so on.

Version control:

Keeping track of every change made to the source code is a must-know for every developer! In most job offers you will see it listed as a requirement; thankfully it is not difficult to get familiar with, and if you have been coding for a while you have your GitHub set up properly and terms like "push, fork, pull, commit" are not random words to you.

Communication:

Let's not forget that a developer's work is not only typing lines of code! In the best software development firms the teams are made up of amazing programmers who work together to achieve the final goal, whether that means finishing the project, creating a new app or helping a startup skyrocket. Working in a team means that a developer has to communicate well, not only to get things done but also to keep the documentation clear so others can easily read and follow the line of thinking and fully understand the idea.


Benefits of learning java programming language

Category : Blog

Java is a general-purpose, high-level programming language developed by Sun Microsystems, which began work on the language in 1991. Java is widely used, and it is also among the most favored languages for developing edge devices and the Internet of Things. It can be used to build a small application module or applet for use as part of a web page, or to create complete applications that run on a single computer or are distributed among servers and clients in a network.

Why did it become popular?

Java source code is compiled into Java bytecode, which can run anywhere in a network, on a server or on a client, inside what is called the Java Virtual Machine (JVM).
The JVM interprets the bytecode, converting it into code that runs on the computer's hardware. In contrast, most programming languages, such as COBOL or C++, compile code into a binary file, and binary files are platform-specific. The JVM also includes an optional just-in-time (JIT) compiler that dynamically compiles bytecode into executable code; in many cases dynamic JIT compilation is faster than interpretation by the virtual machine.

Features of Java

Object-oriented Concept

An object is made up of data, as fields or attributes, and code, as procedures or methods. An object can belong to a class of objects and inherit the code common to that class. The main aim of OOP is to bind together the data and the functions that operate on it, so that no other part of the code can access the data except through those functions.

Exception Handling in Java

To make a robust and well-behaved application, Java offers an exception-handling mechanism used to maintain the normal flow of execution when an exception occurs. The Java exception-handling mechanism has five keywords: try, catch, throw, throws and finally.

Interpreted language

Java bytecode is translated on the fly to native machine instructions and is not stored anywhere. The development process is more rapid and analytical, since linking is an incremental and lightweight process.

Benefits of Java

Data Security

Unlike C++, Java does not expose pointers, which can be insecure, and in the Java environment data is converted to bytecode, which humans cannot read directly. Secure coding is the practice of developing software in a way that guards against the accidental introduction of security vulnerabilities. Defects, bugs and logic flaws are consistently the primary cause of commonly exploited software vulnerabilities.

Desktop GUI applications

A Java GUI application uses the standard Java GUI component set, Swing, and is deployed to the desktop. Java Swing is a lightweight graphical user interface toolkit that includes a rich set of widgets. It includes packages that let you build GUI components for your Java applications, and it is platform-independent.

Scientific Applications

Java supports scientific application development; because of its very strong security and robustness features, many scientific applications are based on Java technology.

Web Applications

Java's web technologies are a main component of the platform and help to develop web-based applications. Any kind of web-based application can be developed with these technologies.

Mobile Applications

In today's world every second phone runs the Android OS, which is based on Java. Java is the technology of choice for building applications using managed code that can execute on mobile devices.


10 Reasons why you should become Microsoft Azure Certified

Category : Blog

In recent years the entire concept of computing has changed drastically, improved a great deal and evolved from traditional computing to cloud computing. The important aspect of cloud computing is that data is shared across the cloud and is available on demand.

With cloud computing facilities, all computing resources are shared, so that data can be accessed from any part of the world with minimal effort. With cloud computing in the picture, users and enterprises have the possibility to store their data in the cloud.

It has attracted a lot of attention because it is a cost-effective solution where companies don't have to invest in any infrastructure themselves. However, if you don't have any experience using cloud services, you should first get Azure training and become a certified expert. Here are ten reasons why you should get Microsoft Azure certification training before using cloud services.

1. Career flexibility:

Microsoft Azure certifications are very important when pursuing a career in cloud computing, and they offer flexible career options. They help secure credible roles such as cloud administrator, developer, security engineer, AI engineer, data engineer, solutions architect and DevOps engineer. Microsoft Azure offers nine role-based certifications that increase your versatility not only in the role you are in, but also in the industry you are working in.

The best part about using Microsoft Azure is that you don't have to learn how to operate many different tools. Azure offers all the commonly used tools, including Hadoop, Xcode, Eclipse, GitHub, etc., to make it easier for newcomers to adapt and start using the platform. Additionally, with a concise learning process you can get your certification faster and start your career. Lots of study material is available online in the form of detailed guides and tutorial videos as well.

2. Structured learning:

The structured learning methodology for Microsoft Azure certifications leads you to learn different tools easily. Candidates find many common tools, such as Hadoop, GitHub and Eclipse, that are easy to learn, and newly interested candidates can adapt to the Azure platform and services with simplicity and ease.
Most importantly, fresh candidates can advance their Azure learning and career path with a faster, more concise learning process. Many online resources such as tutorials, ebooks and courses are available to learn the theoretical and practical concepts of Azure services, so the learning curve is not that hard compared to the competitors.

3. Higher salaries:

As the skill is specialised compared to other standard technologies, individuals working in cloud computing earn more than others. The average salary for an individual working with Azure is about $53,602 per annum. If you have made it to the senior level, where you act as a Senior Software Architect, then you can expect about $164,170. By comparison, the industry-standard basic average salary per annum across different companies is about $40,914.

4. Progressive career development:

Microsoft Azure is one of the leading cloud service providers and offers nine role-based Azure certifications based on market requirements. By earning any or all of the Azure role-based certifications, you can ensure professional career development and recognition in the market. Currently, most businesses are adopting Azure cloud services, and the demand for Microsoft Azure certified professionals is increasing.

Azure certifications offer a wide range of professional tracks, including Azure administrator, architect, developer, security engineer, AI engineer, data scientist and data engineer, enabling you to become a leading cloud professional in the market. There are currently 6,000,000+ government employees using Azure cloud services. As a Microsoft Azure certified professional, you have a better opportunity to land a job in the government sector.

5. Complete environment:

The main difficulty with most software applications is not having a proper environment for complete testing. Microsoft Azure Cloud has addressed this too, as it provides close integrations for the overall solution. Applications built on its platforms help organizations develop, test and deploy easily.
All mobile and web applications are completely integrated using its API, and teams can kick-start their development processes.

6. Beneficial cloud service provider:

Choosing the right cloud service provider is very important for businesses, because all of their data and processing depend on its availability. Azure guarantees 99.9% uptime, so no technical glitches are seen. Azure cloud services also provide PaaS, hybrid solutions and an array of other beneficial services.
So the uptime of the applications is not compromised at all.

7. Certification will boost your career and salary:

With a Microsoft Azure certification you can certainly become a successful developer and earn a handsome salary. The demand for such experts is on the rise, with many top businesses switching over to cloud services. The following are a few certifications you can get to kick-start your career in this industry:
o Microsoft Certified Solutions Expert (MCSE)
o Microsoft Certified Solutions Developer (MCSD)
o Microsoft Certified Solutions Associate (MCSA)

8. Hybrid capabilities:

Microsoft Azure is packed with hybrid services that permit your data to be accessed from all over the world. The hybrid connections include Content Delivery Networks (CDN), Virtual Private Networks (VPN) and ExpressRoute, which improve user experience and performance. Many other cloud service providers are still unable to offer such protocols.

9. Security offering:


10. Enterprise Agreement advantage:

Organizations that already use Microsoft software for their development activities are automatically enrolled under the "Enterprise Agreement" advantage. This agreement helps organizations get competitive prices and extra discounts on new software products and on Azure cloud services. It is a boon for organizations, letting them try out all the different services from Microsoft without paying a hefty amount. With this facility, small companies can also afford cloud services at minimal prices and offer a great value-added product to the market.

Conclusion:

Microsoft Azure is an all-round cloud service that allows users, both businesses and individual developers, to maximize the efficiency of their processes and benefit from its cost-effectiveness. It is recommended that you invest time and energy in acquiring a certification in this technology to streamline your business operations and reach new heights of success.


AWS: Expectation vs. Reality

Category : Blog

Amazon Web Services (AWS) is a cloud service from Amazon that provides services in the form of building blocks; these building blocks can be used to create and deploy any type of application in the cloud. The services are designed to work with each other, and the result is applications that are sophisticated and highly scalable.

AWS is hitting the market big time. Today the stability of and demand for engineers in this niche are at an all-time high. However, before diving in completely, it is imperative to understand what exactly it does and how beneficial it is; put simply, it is important to understand the difference between expectation and reality. There is no denying that more and more companies are now moving towards cloud-based solutions. This swing of the pendulum has benefited AWS tremendously, as no other solution comes close to what they offer. This is why engineers today are enrolling in AWS Training in Kolkata to understand it better.

Set-Up

Expectation: Setting it up will not be difficult, as Amazon wants more and more companies to use its solution, so they will have made it as simple as possible.

Reality: Yes indeed, setting it up is actually quite simple. All kinds of tutorials are available online to ensure engineers can go about their work smoothly. From running a database to hosting a website, there is a tutorial available for each of these services.

Cost

Expectation: Since it is an Amazon product, it will be on the higher side of the budget. Also, at the moment it enjoys a good monopoly, so Amazon can price it as it likes.

Reality: Contrary to expectations, AWS is actually very cost-effective. Not only will you save money by notching up your productivity, but the overall cost of deployment and usage is also low compared to other solutions available on the market.

Security

Expectation: No doubt cloud-based solutions are effective, but you have to compromise on security. AWS security can easily be breached, so developers have to be careful while using it.

Reality: When it comes to security, they are second to none. Amazon, on its end, has done quite a bit to ensure proper security for its users. Developers still have to be careful while deploying their solutions, but the services Amazon offers in this regard are excellent, all the more reason why it is a perfect time to be in AWS training.

Future

Expectation: AWS is good and in demand, but this is the best it can offer, so it is good to get into it now and look for other options later.

Reality: Although AWS enjoys a strong hold on the market, its story doesn't end here. In fact, every few months they add to their current set of services, working hard on their already successful system and helping their customers grow even bigger. The best thing about these solutions is that the more you use them, the better they get. This is why more and more people are using them. These solutions are here to stay, so if you are interested, join an AWS Course in Kolkata today and make a difference.

Conclusions:

AWS offers the largest global footprint in the market. No other cloud provider offers as many regions with multiple Availability Zones, with 69 Availability Zones (AZs) within 22 geographic regions around the world, and announced plans for 10 more AZs and three more AWS Regions in Indonesia, Italy, and South Africa.

AWS Regions each have multiple AZs that are physically separated and isolated from each other and are connected by low latency, high throughput, and highly redundant networking. The AWS Region/AZ model has been recognized by Gartner as the recommended approach for running enterprise applications that require high availability.


Introduction to DevOps

Category : Blog

DevOps is not a tool or a team; it is a process or methodology of using various tools to solve the problems between the developers and the operations team in an organization, hence the term "Dev-Ops".

The development team always had the pressure of completing old, pending work that the operations team considered faulty. With DevOps there is no wait time to deploy the code and get it tested. Hence the developer gets instantaneous feedback on the code, can close the bugs and can make the code production-ready faster!

 

The business value of DevOps

2018 was proclaimed the year of enterprise DevOps by Forrester, as more than 50% of enterprises worldwide had already completed their DevOps transformation or were in the process of it. Below we explain this with some examples of how DevOps helps companies across various industries succeed.

In short, implementing DevOps best practices and workflows helps businesses save time and money, increase software lifecycle predictability, build a corporate culture around innovation and keep motivation levels high. We will discuss this in detail.

DevOps saves time and money: the DevOps principles of IaC, CI and CD help ensure the uniformity of task scenarios and the immutability of infrastructure, so automation becomes 100% efficient and greatly reduces the time and effort spent on routine and repetitive tasks.

DevOps Tools

These are the tools you would use in applying these principles. In the DevOps world there has been an explosion of tools for release (Jenkins, Travis, TeamCity), configuration management (Puppet, Chef, Ansible, CFEngine), orchestration (ZooKeeper, Noah, Mesos), monitoring, virtualization and containerization (AWS, OpenStack, Vagrant, Docker) and many more. While, as with Agile, it is incorrect to say a tool is "a DevOps tool" in the sense that it will magically bring you DevOps, there are certainly specific tools being developed with the express goal of facilitating the above principles, methods and practices, and a holistic understanding of DevOps should incorporate this layer.

Most Influential Benefits Of DevOps

Speed: DevOps practices let you move at the velocity you need to innovate faster, adapt to changing markets better, and become more efficient at driving business results.

Rapid delivery: When you increase the pace of releases, you can improve your product faster and build a competitive advantage.

Reliability: DevOps practices like continuous integration and continuous delivery can ensure the quality of application updates and infrastructure changes so you can reliably deliver at a more rapid pace while maintaining an optimum experience for end-users.

Improved collaboration: Under a DevOps model, developers and operations teams collaborate closely, share responsibilities, and combine their workflows. This reduces inefficiencies and saves time.

Security: You can adopt a DevOps model without sacrificing security by using automated, integrated security testing tools.

Conclusion

DevOps is a revolution that aims at breaking down the wall of confusion between development and operations teams in big corporations with large IT departments, where these roles are traditionally well separated and isolated.

Now, what about smaller companies that don't necessarily have split functions between developers and operations?

Adopting DevOps principles and practices such as deployment automation, continuous delivery and flipping still brings a lot.


ICSS Saved Harvard University from Hackers.

Category : Uncategorized

ICSS team member Pritam Mukherjee found a vulnerability on the website of Harvard University, and it has now been resolved on their end. It is a proud moment for ICSS.

What is cross-site scripting (XSS)

Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allows an attacker to circumvent the same-origin policy, which is designed to segregate different websites from each other. Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform and to access any of the user’s data. If the victim user has privileged access within the application, then the attacker might be able to gain full control over all of the application’s functionality and data.

 

Cross-Site Scripting (XSS) attacks occur when:

  1. Data enters a web application through an untrusted source, most frequently a web request.
  2. The data is included in dynamic content that is sent to a web user without being validated for malicious content.

The malicious content sent to the web browser often takes the form of a segment of JavaScript, but may also include HTML, Flash, or any other type of code that the browser may execute. The variety of attacks based on XSS is almost limitless, but they commonly include transmitting private data, like cookies or other session information, to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user’s machine under the guise of the vulnerable site.

 

How to find and test for XSS vulnerabilities

The vast majority of XSS vulnerabilities can be found quickly and reliably using any web vulnerability scanner.

Manually testing for reflected and stored XSS normally involves submitting some simple unique input (such as a short alphanumeric string) into every entry point in the application; identifying every location where the submitted input is returned in HTTP responses; and testing each location individually to determine whether suitably crafted input can be used to execute arbitrary JavaScript.

Manually testing for DOM-based XSS arising from URL parameters involves a similar process: placing some simple unique input in the parameter, using the browser’s developer tools to search the DOM for this input, and testing each location to determine whether it is exploitable. However, other types of DOM XSS are harder to detect. To find DOM-based vulnerabilities in non-URL-based input (such as document.cookie) or non-HTML-based sinks (like setTimeout), there is no substitute for reviewing JavaScript code, which can be extremely time-consuming. Any web vulnerability scanner combines static and dynamic analysis of JavaScript to reliably automate the detection of DOM-based vulnerabilities.

 

How to Protect Yourself

The primary defenses against XSS are described in the OWASP XSS Prevention Cheat Sheet.

It is also crucial that you turn off HTTP TRACE support on all web servers. An attacker can steal cookie data via JavaScript even when document.cookie is disabled or not supported by the client. The attack is mounted when a user posts a malicious script to a forum; when another user clicks the link, an asynchronous HTTP TRACE call is triggered that collects the user's cookie information from the server and then sends it to another malicious server, where the attacker collects it to mount a session hijack attack. This is easily mitigated by removing support for HTTP TRACE on all web servers.
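The HTTP TRACE check above can be scripted against your own servers. The following is an added example, not code from the original post or from OWASP: it starts two constructed stand-in servers in-process (one that still answers TRACE, one that refuses it) and probes each with a marker header, reporting TRACE as enabled only when the marker is echoed back in a 2xx response.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PROBE_HEADER = ("X-Trace-Probe", "probe-7f3a")   # constructed marker we expect to see echoed


class TraceEnabledHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a server with TRACE left on: it echoes the request back,
    headers (and therefore any Cookie header the browser attached) included."""

    def do_TRACE(self):
        echoed = ("%s %s %s\r\n" % (self.command, self.path, self.request_version)
                  + str(self.headers)).encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echoed)))
        self.end_headers()
        self.wfile.write(echoed)

    def log_message(self, *args):   # keep the example quiet
        pass


class TraceDisabledHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a hardened server: with no do_TRACE method the
    base class answers 501 Unsupported method, so nothing is echoed."""

    def log_message(self, *args):
        pass


def start_server(handler):
    """Bind a throwaway server on a free localhost port and serve it from a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def trace_enabled(host, port, path="/"):
    """True if the server answers TRACE with 2xx and the probe header comes back in the body.
    Checking for the echoed marker, not just the status code, avoids false positives from
    servers that answer 200 to every method."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", path, headers=dict([PROBE_HEADER]))
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", "replace")
        return 200 <= resp.status < 300 and PROBE_HEADER[1] in body
    finally:
        conn.close()


def demo():
    """Run the check against both constructed servers; returns {'trace-on': True, 'trace-off': False}."""
    results = {}
    for label, handler in (("trace-on", TraceEnabledHandler), ("trace-off", TraceDisabledHandler)):
        srv = start_server(handler)
        try:
            results[label] = trace_enabled(*srv.server_address)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    print(demo())
```

On Apache httpd the fix is `TraceEnable off` in the server configuration; run the check again afterwards to confirm the server now refuses the method.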

 

How to Determine If You Are Vulnerable

XSS flaws can be difficult to identify and remove from a web application. The best way to find them is to perform a security review of the code and search for all places where input from an HTTP request could possibly make its way into the HTML output. Note that a variety of different HTML tags can be used to transmit malicious JavaScript. Nessus, Nikto and some other available tools can help scan a website for these flaws, but they only scratch the surface. If one part of a website is vulnerable, there is a high likelihood that there are other problems as well.
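The manual test described under "How to find and test for XSS vulnerabilities" and the code review described just above both come down to the same thing: locate every place where request input reaches the HTML output and check how it got there. The following added example (not code from the original post or from any scanner it names) turns that into a small helper: it submits a constructed unique marker followed by the characters that matter in HTML, then reports, for each reflection, the HTML context and whether those characters came back raw or entity-encoded. The two render_* functions are constructed stand-ins for a vulnerable page and its fixed version.

```python
import html
import re

MARKER = "zq7x3k"                  # constructed unique alphanumeric marker
SPECIALS = "<\"'>"                 # the characters whose survival makes a reflection dangerous
PROBE = MARKER + SPECIALS


def render_vulnerable(name):
    """Constructed 'before' page: the request parameter is concatenated straight into HTML,
    once in a text node and once inside an attribute value."""
    return ('<html><body><h1>Hello ' + name + '</h1>'
            '<input name="q" value="' + name + '"></body></html>')


def render_safe(name):
    """'After': the same page with output encoding applied at each HTML insertion point."""
    safe = html.escape(name, quote=True)
    return ('<html><body><h1>Hello ' + safe + '</h1>'
            '<input name="q" value="' + safe + '"></body></html>')


def html_context(body, pos):
    """Rough HTML context at offset pos: 'script' (inside <script>...</script>),
    'tag' (inside a tag, e.g. an attribute value) or 'text' (a text node)."""
    before = body[:pos]
    lowered = before.lower()
    if lowered.rfind("<script") > lowered.rfind("</script"):
        return "script"
    return "tag" if before.rfind("<") > before.rfind(">") else "text"


def classify_reflections(body, marker=MARKER):
    """For every reflection of the marker in a response body, report (context, status), where
    status is 'unescaped' if the special characters came back verbatim, 'escaped' if they
    were entity-encoded, or 'altered' otherwise (filtered, truncated, partially encoded)."""
    findings = []
    for m in re.finditer(re.escape(marker), body):
        end = m.end()
        if body.startswith(SPECIALS, end):
            status = "unescaped"
        elif body.startswith(html.escape(SPECIALS, quote=True), end):
            status = "escaped"
        else:
            status = "altered"
        findings.append((html_context(body, m.start()), status))
    return findings


def needs_fixing(findings):
    """True if any reflection returns the specials raw: that sink needs output encoding."""
    return any(status == "unescaped" for _, status in findings)


if __name__ == "__main__":
    print("vulnerable:", classify_reflections(render_vulnerable(PROBE)))
    print("fixed:     ", classify_reflections(render_safe(PROBE)))
```

An 'altered' result is not a clean bill of health: it usually means a filter touched the input, and that location still deserves a manual look.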
Why Shopping Mall is being targeted by Hackers?

Category : Blog

The last few years have been critical for many companies in the e-commerce sector, due to the high number of cyber-attacks and emerging threats.

A Business Insider study shows that within a single year at least 16 separate security breaches occurred at large retailers. Many of them were due to security flaws in payment systems.

A recent report by Shape Security showed that many of the people logging in to retailers' e-commerce sites are hackers using stolen data, the highest percentage of any sector. Some of the largest retailers, like Adidas, Macy's, Best Buy and Forever 21, have been affected. A large amount of compromised data is being sold on the "dark web", including databases of personal data, credit card numbers and confidential corporate data, which is used by competitors.

Let’s see what the CEO of Indian Cyber Security Solutions, Mr. Abhishek Mitra, has said about this:

Another issue in the sector is caused by the large number of IoT devices, which allow larger and more effective ICMP and DDoS attacks to be crafted. Many vulnerabilities are caused by input validation errors, client-side gaps, vulnerabilities in database servers or network-related weaknesses.

It is very important for an E-commerce organization to build a layered security infrastructure and to perform regular assessments in order to check the security of its systems, networks, web and mobile applications and employees.

GDPR and other legal requirements pose a strong challenge for most organizations that handle personal data.

In this white paper we will look at the following topics:

  • Some of the issues that you can face.
  • Famous attacks in the sector.
  • Protection mechanisms.
  • Basic security measures.

Attacks the shopping mall industry has seen in the past

Malware

Malware is malicious software, developed by malicious hackers to gain access to or cause damage to a computer system or network, often without the knowledge of the affected user.
Malware is often called a ‘computer virus’, although there are big differences between these types of malicious software.

Magento and other E-commerce platforms are particularly exposed to widespread malware infections because of their prevalence in the market. Malware can perform an extremely wide range of activities: it can use your computer as part of a botnet to launch DDoS attacks, or steal credit card numbers or sensitive account information from the users of your website. A well-known malware family that targeted Magento sites extracted credit card information and stored it inside image files, so that the attacker could retrieve it without raising any alarms.

Log Injection

Log files can be abused by an attacker to inject malicious content or forge log entries if a vulnerability allows unvalidated user input to be written to the logs.

Log injection vulnerabilities occur when data comes from an untrusted source and is written to an application or system log file.
Log files are typically used by applications to store a history of events or transactions that can be reviewed later. Logs can also be used for gathering statistics or for debugging. Depending on the application’s functionality, log files can be reviewed either manually or with the help of automated tools that read the logs and search for trends or important events.

An attacker who can supply data that the application subsequently logs verbatim can corrupt the log file: a line break inside the input, for example, splits one event into what looks like several independent entries.
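A sanitiser for the verbatim-logging case above, as an added example that is not from the original post: sanitize_for_log() and logged_lines() are hypothetical helper names, and the forged username and IP addresses are constructed sample data.

```python
import io
import logging
import re

# CR, LF and other ASCII control characters let one input masquerade as
# several log records, or smuggle terminal escape sequences to whoever views
# the log. They are replaced with a visible escape rather than silently dropped.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_for_log(value: str, max_len: int = 200) -> str:
    """Neutralise untrusted input before it is written verbatim to a log."""
    cleaned = _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), value)
    if len(cleaned) > max_len:                      # bound log growth too
        cleaned = cleaned[:max_len] + "...[truncated]"
    return cleaned


def logged_lines(username: str, sanitize: bool) -> list:
    """Write one failed-login record and return the lines a reviewer sees."""
    buf = io.StringIO()
    logger = logging.Logger("login-demo")           # standalone, no global handlers
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    value = sanitize_for_log(username) if sanitize else username
    # 198.51.100.7 is a constructed documentation address
    logger.warning("login failed user=%s src=198.51.100.7", value)
    return buf.getvalue().splitlines()


# Constructed attacker-controlled username: the embedded newline is meant to
# forge a second, successful-looking record for "admin".
FORGED_USERNAME = "mallory\nINFO login ok user=admin src=203.0.113.9"

if __name__ == "__main__":
    for sanitize in (False, True):
        print("sanitize =", sanitize)
        for line in logged_lines(FORGED_USERNAME, sanitize):
            print("  ", line)
```

Without sanitising, the single failed login produces two records, the second of which reads like a genuine successful login for admin; with sanitising, the newline survives only as a visible \x0a inside one record.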

Bad bots

Bots have many names – crawlers, spiders, Internet robots, web bots and more. They are frequently used to perform repetitive jobs and simple tasks, like indexing pages for a search engine. However, they often come as part of malware and are used to gain full control over a computer system. Some of them infect the host and connect back to a central command and control (C&C) server, which is used to control a network of compromised computers and hosts.

  • Fraud – Bots can prevent your legitimate users from purchasing items by sending many purchase requests for an item so that it appears out of stock to your clients. They can also list your items for sale on other sites at a lower price. Bots can also be used to brute-force your customers’ credentials, and after a successful login the attacker can resell the information to a third party. If someone is able to use your clients’ credit cards, that can ruin their trust in you.
  • Price Scraping – Price scraping is a technique that uses bots to crawl an online store for its prices and product catalog information. It is often used by competitors to steal a site’s dynamic pricing, which is extremely important for E-commerce platforms because many consumer buying decisions and revenue forecasts rely on real-time dynamic pricing. This lets competitors set prices below the marketplace baseline and attract more consumers.
  • Analytics – Bots can have a high impact on the analytics of your sales campaign by imitating human behavior. Many of them execute JavaScript, which is also the mechanism most analytics tools use to measure bounce rate, conversion rate, page views and more. Such attacks can lead you to spend more money on advertising, compromise your metrics and lower your conversion rate.

Phishing

Hackers may try to attack your E-commerce business by launching phishing campaigns. For this purpose they might craft fake emails, phone calls and SMS messages. Hackers can also inject malicious JavaScript snippets into the checkout pages of popular E-commerce platforms like Magento, WooCommerce, PrestaShop and others. Many merchants use PayPal as a payment method, which means that if their PayPal account gets suspended it limits consumers’ ability to purchase new items. That makes merchants take seriously any email claiming that their account will be suspended due to malicious or unusual activity. If they lack security awareness, merchants may follow a link to a fake page and provide their login credentials as instructed. They may also download, complete and submit invoices, bills and proposals sent as attachments, which hands the cybercriminal their user names and passwords and full access to the merchant’s PayPal account. The attachment could also silently install malicious software on the victim’s computer.

DDoS

A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS attacks achieve their effect by using multiple compromised computer systems as sources of attack traffic. Online stores are especially exposed to these attacks during discount periods, like Black Friday. However, there are easy-to-implement measures to protect against this type of attack.

Vulnerabilities in firewalls

Firewalls are usually important assets in every network security infrastructure. Their job is to restrict inbound and outbound access to specific IP addresses and networks. Firewall vulnerabilities may be caused by an error made during firewall design, implementation or configuration that can be exploited to attack the trusted network behind the firewall. Some common firewall vulnerabilities and misconfigurations include:

  • Unrestricted ICMP traffic.
  • Rejecting unwanted traffic with a response instead of silently dropping it.
  • Lack of port restrictions.
  • Unrestricted access to specific IPs and networks.
  • Unnecessarily open TCP and UDP ports.

Preventive measures in the shopping mall industry:

  1. Trademark your company name and logo
  2. Use a trusted ecommerce platform
  3. Use HTTPS (HTTP over SSL/TLS)
  4. Make sure your site is PCI DSS compliant
  5. Keep your site updated
  6. Require strong passwords
  7. Know the signs of fraud

5 most in-demand skills in cyber security by ICSS

Category : Blog


The demand for cybersecurity professionals has become an essential concern for all modern organizations. Due to a lack of expertise and insufficient skills, companies are unable to find suitable candidates for this field. If you want to start a career in cybersecurity and take advantage of this opportunity, you must increase your expertise and build the right skills.

The main issue is that technology keeps reshaping itself with new innovations, so a cybersecurity professional has to stay active and up to date with new technologies. This article will help you take a look at the cybersecurity skills required for 2019.

Internet of Things (IoT):

Although people understand the importance of the “internet of things” (IoT), security loopholes still exist. Cybercriminals take advantage of such loopholes and try to exploit the gaps. Therefore, you need to develop your IoT skills in order to secure interconnected networks and devices. With IoT practices being adopted by numerous industries, from agriculture to commerce and management to energy, picking up strong IoT security skills can help you seriously in the coming years.

Vulnerability Assessment:

In the modern organization, large amounts of data are used and transferred from one device to another. Data continues to increase in value, so you must apply new rules and regulations to protect it effectively. In modern devices, the data gathered by manufacturers, businesses and banks contains personally identifiable information that can be used for malicious activities like financial fraud and identity theft. To keep your data secure on a regular basis, you need to continue with vulnerability assessments.

Customer Services:

In many organizations, the IT department requires a large and energetic number of people working in tandem to fulfill tasks and meet requirements. These teams, including cybersecurity, must possess customer service skills, as there is a persistent need to communicate with the organization’s internal staff, partners, clients and co-workers.

Malware Defense:

Organizations, including small enterprises, never want their private information to be leaked on the internet. Numerous incidents have been observed where companies lost their precious data and brand reputation after a cyber-attack. Therefore, you must have the skills to handle such situations. To meet the needs of the modern world, EH Academy offers the all-time best “Complete Ethical Hacking Bundle”. This bundle is well designed and equipped with modern ethical hacking techniques.

Artificial intelligence & Machine Learning:

Modern technology has minimized the involvement of humans, and the same applies to cybersecurity professionals. You must have sufficient skills to use machine learning and artificial intelligence to identify new loopholes and weaknesses and to avert malicious botnet or ransomware attacks.

Why is the IoT industry being targeted by Hackers?

Category : Blog

We are living in a connected world, where nearly all devices are becoming connected.

The internet of things (IoT) is coming up in a big way and brings amazing opportunities – but it also brings serious security threats.

IoT connects physical devices, so the hacking of IoT devices has the potential to cost human lives.

Further implications include access to unauthorized and potentially confidential data that can then be used for other crimes.

Let us see what our CEO, Abhishek Mitra, has to say about IoT hacking:

What types of attacks has the IoT-based industry seen in the past?

IoT devices have potential security vulnerabilities like weak passwords and other poor default security settings, a lack of encryption when devices communicate over the network, and poor (or non-existent) user-serviceable device management.

Due to these vulnerabilities, many IoT devices are surprisingly easy to attack.

Ransom attack

Researchers at cybersecurity firm McAfee called the past months “the quarter of data dumps” in an alarming report released on Wednesday.

The 40-page survey of the security landscape found that more than 2.2 billion stolen account credentials were made available on the cybercriminal underground this quarter, and that hackers had even figured out ways to break into Wi-Fi-enabled coffee makers.

“The impact of these threats is very real,” said Raj Samani, McAfee fellow and chief scientist.

“It’s important to recognize that the numbers, highlighting increases or decreases of certain types of attacks, only tell a fraction of the story. Every infection is another business dealing with outages, or a consumer facing major fraud. We must not forget for every cyberattack, there is a human cost.”


IOT BOTNET ATTACK

A new IoT botnet named Ares is infecting Android-based devices that have left a debug port exposed on the Internet.

Among this botnet’s most common victims are Android set-top boxes manufactured by HiSilicon, Cubetek and QezyMedia, cyber-security firm WootCloud said today.

What kind of actions or preventive measures have saved the industry from being hacked and facing humiliation?

  1. Learn how to maintain the security of IoT devices. Consumers need to protect their IoT devices the same way they would their smartphones, tablets and home computers. Look for ways to set strong passwords, and read the manuals for instructions on how to lock down these devices.
  2. Clean out old apps. Many of us tend to keep apps indefinitely, even if we don’t use them. Check your devices periodically and delete apps you no longer use.
  3. Own your online presence. Understand what information your devices collect and how it is managed and stored.
  4. Do your research. Before you purchase an IoT device, search to see whether it has had security problems and whether it can be easily hacked.
  5. Change the default settings on the home router. This is worth reiterating: strong passwords on home routers can prevent the type of DDoS attack that happened last Friday to Dyn.